]>
Commit | Line | Data |
---|---|---|
95214b43 | 1 | =pod |
5e98904c | 2 | {- OpenSSL::safe::output_do_not_edit_headers(); -} |
95214b43 SL |
3 | |
4 | =head1 NAME | |
5 | ||
6 | openssl-fipsinstall - perform FIPS configuration installation | |
7 | ||
8 | =head1 SYNOPSIS | |
9 | ||
10 | B<openssl fipsinstall> | |
11 | [B<-help>] | |
e8769719 RS |
12 | [B<-in> I<configfilename>] |
13 | [B<-out> I<configfilename>] | |
14 | [B<-module> I<modulefilename>] | |
15 | [B<-provider_name> I<providername>] | |
16 | [B<-section_name> I<sectionname>] | |
95214b43 | 17 | [B<-verify>] |
e8769719 RS |
18 | [B<-mac_name> I<macname>] |
19 | [B<-macopt> I<nm>:I<v>] | |
36fc5fc6 | 20 | [B<-noout>] |
1cd2c1f8 | 21 | [B<-quiet>] |
35e6ea3b | 22 | [B<-no_conditional_errors>] |
991a6bb5 | 23 | [B<-no_security_checks>] |
2abffec0 | 24 | [B<-self_test_onload>] |
36fc5fc6 SL |
25 | [B<-corrupt_desc> I<selftest_description>] |
26 | [B<-corrupt_type> I<selftest_type>] | |
9f7bdcf3 | 27 | [B<-config> I<parent_config>] |
95214b43 | 28 | |
95214b43 SL |
29 | =head1 DESCRIPTION |
30 | ||
35a810bb | 31 | This command is used to generate a FIPS module configuration file. |
d03b3158 RS |
32 | This configuration file can be used each time a FIPS module is loaded |
33 | in order to pass data to the FIPS module self tests. The FIPS module always | |
2abffec0 | 34 | verifies its MAC, but optionally only needs to run the KAT's once, |
d03b3158 RS |
35 | at installation. |
36 | ||
95214b43 SL |
37 | The generated configuration file consists of: |
38 | ||
39 | =over 4 | |
40 | ||
d03b3158 RS |
41 | =item - A MAC of the FIPS module file. |
42 | ||
43 | =item - A test status indicator. | |
95214b43 | 44 | |
d03b3158 RS |
45 | This indicates if the Known Answer Self Tests (KAT's) have successfully run. |
46 | ||
47 | =item - A MAC of the status indicator. | |
95214b43 | 48 | |
35e6ea3b SL |
49 | =item - A control for conditional self tests errors. |
50 | ||
51 | By default if a continuous test (e.g a key pair test) fails then the FIPS module | |
52 | will enter an error state, and no services or cryptographic algorithms will be | |
53 | able to be accessed after this point. | |
54 | The default value of '1' will cause the fips module error state to be entered. | |
55 | If the value is '0' then the module error state will not be entered. | |
56 | Regardless of whether the error state is entered or not, the current operation | |
57 | (e.g. key generation) will return an error. The user is responsible for retrying | |
58 | the operation if the module error state is not entered. | |
59 | ||
991a6bb5 SL |
60 | =item - A control to indicate whether run-time security checks are done. |
61 | ||
62 | This indicates if run-time checks related to enforcement of security parameters | |
63 | such as minimum security strength of keys and approved curve names are used. | |
64 | The default value of '1' will perform the checks. | |
65 | If the value is '0' the checks are not performed and FIPS compliance must | |
66 | be done by procedures documented in the relevant Security Policy. | |
67 | ||
95214b43 SL |
68 | =back |
69 | ||
d03b3158 | 70 | This file is described in L<fips_config(5)>. |
95214b43 SL |
71 | |
72 | =head1 OPTIONS | |
73 | ||
74 | =over 4 | |
75 | ||
76 | =item B<-help> | |
77 | ||
78 | Print a usage message. | |
79 | ||
e8769719 | 80 | =item B<-module> I<filename> |
95214b43 | 81 | |
d03b3158 | 82 | Filename of the FIPS module to perform an integrity check on. |
9a62ccbe SL |
83 | The path provided in the filename is used to load the module when it is |
84 | activated, and this overrides the environment variable B<OPENSSL_MODULES>. | |
95214b43 | 85 | |
e8769719 | 86 | =item B<-out> I<configfilename> |
95214b43 | 87 | |
d03b3158 | 88 | Filename to output the configuration data to; the default is standard output. |
95214b43 | 89 | |
e8769719 | 90 | =item B<-in> I<configfilename> |
95214b43 | 91 | |
eb78f955 RS |
92 | Input filename to load configuration data from. |
93 | Must be used if the B<-verify> option is specified. | |
95214b43 SL |
94 | |
95 | =item B<-verify> | |
96 | ||
d03b3158 | 97 | Verify that the input configuration file contains the correct information. |
95214b43 | 98 | |
e8769719 | 99 | =item B<-provider_name> I<providername> |
95214b43 SL |
100 | |
101 | Name of the provider inside the configuration file. | |
5744dacb | 102 | The default value is C<fips>. |
95214b43 | 103 | |
e8769719 | 104 | =item B<-section_name> I<sectionname> |
95214b43 SL |
105 | |
106 | Name of the section inside the configuration file. | |
5744dacb | 107 | The default value is C<fips_sect>. |
95214b43 | 108 | |
e8769719 | 109 | =item B<-mac_name> I<name> |
95214b43 SL |
110 | |
111 | Specifies the name of a supported MAC algorithm which will be used. | |
d03b3158 RS |
112 | The MAC mechanisms that are available will depend on the options |
113 | used when building OpenSSL. | |
35a810bb RL |
114 | To see the list of supported MAC's use the command |
115 | C<openssl list -mac-algorithms>. The default is B<HMAC>. | |
95214b43 | 116 | |
e8769719 | 117 | =item B<-macopt> I<nm>:I<v> |
95214b43 SL |
118 | |
119 | Passes options to the MAC algorithm. | |
120 | A comprehensive list of controls can be found in the EVP_MAC implementation | |
121 | documentation. | |
31214258 | 122 | Common control strings used for this command are: |
95214b43 SL |
123 | |
124 | =over 4 | |
125 | ||
2f0ea936 | 126 | =item B<key>:I<string> |
95214b43 SL |
127 | |
128 | Specifies the MAC key as an alphanumeric string (use if the key contains | |
129 | printable characters only). | |
130 | The string length must conform to any restrictions of the MAC algorithm. | |
131 | A key must be specified for every MAC algorithm. | |
31214258 RS |
132 | If no key is provided, the default that was specified when OpenSSL was |
133 | configured is used. | |
95214b43 | 134 | |
2f0ea936 | 135 | =item B<hexkey>:I<string> |
95214b43 SL |
136 | |
137 | Specifies the MAC key in hexadecimal form (two hex digits per byte). | |
138 | The key length must conform to any restrictions of the MAC algorithm. | |
139 | A key must be specified for every MAC algorithm. | |
31214258 RS |
140 | If no key is provided, the default that was specified when OpenSSL was |
141 | configured is used. | |
95214b43 | 142 | |
2f0ea936 | 143 | =item B<digest>:I<string> |
95214b43 SL |
144 | |
145 | Used by HMAC as an alphanumeric string (use if the key contains printable | |
146 | characters only). | |
147 | The string length must conform to any restrictions of the MAC algorithm. | |
35a810bb RL |
148 | To see the list of supported digests, use the command |
149 | C<openssl list -digest-commands>. | |
31214258 | 150 | The default digest is SHA-256. |
95214b43 SL |
151 | |
152 | =back | |
153 | ||
36fc5fc6 SL |
154 | =item B<-noout> |
155 | ||
156 | Disable logging of the self tests. | |
157 | ||
35e6ea3b SL |
158 | =item B<-no_conditional_errors> |
159 | ||
160 | Configure the module to not enter an error state if a conditional self test | |
161 | fails as described above. | |
162 | ||
991a6bb5 SL |
163 | =item B<-no_security_checks> |
164 | ||
165 | Configure the module to not perform run-time security checks as described above. | |
35e6ea3b | 166 | |
2abffec0 SL |
167 | =item B<-self_test_onload> |
168 | ||
169 | Do not write the two fields related to the "test status indicator" and | |
170 | "MAC status indicator" to the output configuration file. Without these fields | |
171 | the self tests KATS will run each time the module is loaded. This option could be | |
172 | used for cross compiling, since the self tests need to run at least once on each | |
173 | target machine. Once the self tests have run on the target machine the user | |
174 | could possibly then add the 2 fields into the configuration using some other | |
175 | mechanism. | |
176 | ||
1cd2c1f8 | 177 | =item B<-quiet> |
36fc5fc6 | 178 | |
1cd2c1f8 RS |
179 | Do not output pass/fail messages. Implies B<-noout>. |
180 | ||
181 | =item B<-corrupt_desc> I<selftest_description>, | |
182 | B<-corrupt_type> I<selftest_type> | |
36fc5fc6 | 183 | |
d03b3158 | 184 | The corrupt options can be used to test failure of one or more self tests by |
36fc5fc6 | 185 | name. |
d03b3158 RS |
186 | Either option or both may be used to select the tests to corrupt. |
187 | Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for | |
36fc5fc6 SL |
188 | values that can be used. |
189 | ||
9f7bdcf3 SL |
190 | =item B<-config> I<parent_config> |
191 | ||
192 | Test that a FIPS provider can be loaded from the specified configuration file. | |
193 | A previous call to this application needs to generate the extra configuration | |
194 | data that is included by the base C<parent_config> configuration file. | |
195 | See L<config(5)> for further information on how to set up a provider section. | |
196 | All other options are ignored if '-config' is used. | |
197 | ||
95214b43 SL |
198 | =back |
199 | ||
200 | =head1 EXAMPLES | |
201 | ||
1948394d | 202 | Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test |
433deaff | 203 | for the module, and save the F<fips.cnf> configuration file: |
95214b43 | 204 | |
991a6bb5 | 205 | openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips |
95214b43 | 206 | |
433deaff | 207 | Verify that the configuration file F<fips.cnf> contains the correct info: |
95214b43 | 208 | |
991a6bb5 | 209 | openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify |
95214b43 | 210 | |
d03b3158 | 211 | Corrupt any self tests which have the description C<SHA1>: |
36fc5fc6 | 212 | |
433deaff | 213 | openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \ |
d03b3158 | 214 | -corrupt_desc 'SHA1' |
95214b43 | 215 | |
9f7bdcf3 SL |
216 | Validate that the fips module can be loaded from a base configuration file: |
217 | ||
218 | export OPENSSL_CONF_INCLUDE=<path of configuration files> | |
c9dcbc07 | 219 | export OPENSSL_MODULES=<provider-path> |
9f7bdcf3 SL |
220 | openssl fipsinstall -config' 'default.cnf' |
221 | ||
222 | ||
95214b43 SL |
223 | =head1 SEE ALSO |
224 | ||
9f7bdcf3 | 225 | L<config(5)>, |
95214b43 | 226 | L<fips_config(5)>, |
36fc5fc6 | 227 | L<OSSL_PROVIDER-FIPS(7)>, |
95214b43 SL |
228 | L<EVP_MAC(3)> |
229 | ||
230 | =head1 COPYRIGHT | |
231 | ||
3c2bdd7d | 232 | Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. |
95214b43 | 233 | |
a6ed19dc | 234 | Licensed under the Apache License 2.0 (the "License"). You may not use |
95214b43 SL |
235 | this file except in compliance with the License. You can obtain a copy |
236 | in the file LICENSE in the source distribution or at | |
237 | L<https://www.openssl.org/source/license.html>. | |
238 | ||
239 | =cut |